Marcela Melara
+1 to resolving this during v1.0. Clearly identifying who is responsible for meeting a requirement should be part of the discussion on the set of v1.0 requirements, and which SLSA...
+1 to resolving this for v1.0.
I assume by optional requirements, you mean the ones labeled with "O" on this page? https://slsa.dev/spec/v0.1/requirements Source requirements aside, there are two optional requirements "Reproducible" (Build reqs), which only applies...
@shaunmlowry Good point. For optional requirements that apply to a specific level, I think it makes sense to bump them up to the next level. As an aside, I can...
Stopping by to bump this issue, since this topic came up at today's Specification SIG meeting. I'm in favor of splitting the current "Hermetic" requirement, and for v1.0 to only...
@melba-lopez These figures are really helpful, thank you for putting them together! I think they distill some of the major use cases for separating source repo integrity from build integrity....
Based on the Hybrid OSS/Proprietary meetings today and last month, two points have emerged out of these discussions: (1) developing the source management/repo SLSA requirements is necessary but warrants more...
Per the Specification SIG meeting today, how should we mark this issue? Can we create a post-1.0 tag?
This seems very related to the discussion happening over at #508 as well.
Thanks for clarifying! This MPK-based hardening is something I proposed for Graphene/Gramine a few years ago, so I'm happy to see it implemented in Occlum. Does this mean that multi-processes...